Microsoft Issues Emergency Patch for Actively Exploited SharePoint Flaw
21st July 2025 | Blogs
Why You Need to Act Fast to Protect Your Business
If you use on-premises SharePoint, stop what you’re doing for a minute, because this is important. Microsoft just pushed out an emergency security update to fix a critical vulnerability in SharePoint Server that's already being exploited in the wild.
This isn't your run-of-the-mill Patch Tuesday fix. It’s a response to an active threat that's hitting organisations across multiple sectors, and the consequences could be severe. What’s the vulnerability? The flaw, tracked as CVE-2025-53770, allows attackers to execute code remotely, without authentication. All they need to do is send specially crafted data to your SharePoint server. And because it’s a deserialisation flaw, it can bypass MFA and SSO protections. Once inside, attackers can drop web shells, steal data, move laterally across your network, and potentially access Outlook, Teams, OneDrive, the works. Microsoft has also patched CVE-2025-53771, which is related and could be used in chained attacks.
Who’s affected?
This impacts on-premises SharePoint Server:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
If you're using SharePoint Online (via Microsoft 365), you're in the clear.
How serious is it?
Very. Since mid-July, security researchers have observed a surge in attacks using this vulnerability, especially targeting:
- Financial institutions
- Government agencies
- Healthcare organisations
- Education and research institutes
- Large enterprise networks
It’s been weaponised using a known toolset called ToolShell, and attackers are actively scanning and exploiting internet-facing SharePoint servers. In short: If your SharePoint is exposed, you may already be compromised.
What should you do right now?
Here’s a quick step-by-step action plan:
- Apply the patch immediately
Microsoft has released security updates for all affected SharePoint versions. You’ll find them via the Microsoft Security Update Guide or your usual update channels. - Rotate machine keys and restart IIS
This is crucial. The attackers are stealing ASP.NET machine keys to maintain persistence. Rotate those keys and restart IIS to invalidate any stolen ones. - Verify AMSI and update your AV
Make sure AMSI (Antimalware Scan Interface) is enabled and running in Full mode. If you’re using Microsoft Defender, get the latest signatures. If you're using a third-party solution, make sure it supports AMSI scanning. - Consider disconnecting internet-facing SharePoint
If you can’t patch right away, isolate your server from external access until you can. - Assume breach and start hunting
Look for signs of compromise. Key indicators include unusual payloads in __VIEWSTATE, newly dropped web shells, and abnormal authentication activity. We recommend running a full incident response investigation if you suspect exposure.
How can Workflo help?
Let’s be honest, patching is just one part of the equation. If your SharePoint server is critical to daily operations (and for most businesses, it is), this needs a fast and thorough response.
At Workflo Solutions, we’re already supporting clients with:
- Emergency patch deployment
- Key rotation and server hardening
- Incident response and forensic threat hunting
- Security audits to ensure there’s no ongoing compromise
- Long-term mitigation strategies
“We’ve seen vulnerabilities like this wreak havoc in environments that weren’t patched quickly. It’s not about ‘if’ anymore, it’s about acting before it’s too late.” – Kris Glen, Head of IT, Workflo Solutions
If you're unsure whether you're affected or if your patching process is robust enough, reach out to us today. We’ll get you covered and make sure your business isn’t the next headline.
Contact our IT team to get help immediately.
Stay safe
